FlyerTalk Forums

Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

Canarsie Jul 27, 2017 10:09 am


Originally Posted by serpens (Post 28614387)
Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.

I never did say that the advice I offered is foolproof and will work 100 percent of the time; but based on my experience, it is significantly better than the alternative...

...and my initial thought is that if a company is so disinterested or dysfunctional to the point that it is more of a disadvantage than a benefit to me, I might perhaps reconsider conducting business with that company if I have other options available to me.

Fortunately — by my experience, anyway — Hilton is not one of those companies...

RogerD408 Jul 27, 2017 10:21 am


Originally Posted by serpens (Post 28614387)
Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.

My guess (hope) is that you got a disinterested agent. Some companies do hide their internal groups, like security, from the customer. This leaves us to deal with someone that has no say in what the other group does or when, and if they have no means to access them or put you in touch with them it's bad. If you were able to reach out to the agent working your case, I'd bet your experience would be much better.

Yes, the sooner you report the issue the easier it would be to track down the culprit, but so far, all reports I've read have resulted in the points being returned. If you have a need to use those points soon, you may have problems getting them to advance what is expected to be returned, but worth asking.

gauntlet3h Jul 27, 2017 1:13 pm


Originally Posted by RogerD408 (Post 28615163)
My guess (hope) is that you got a disinterested agent. Some companies do hide their internal groups, like security, from the customer. This leaves us to deal with someone that has no say in what the other group does or when, and if they have no means to access them or put you in touch with them it's bad. If you were able to reach out to the agent working your case, I'd bet your experience would be much better.

Yes, the sooner you report the issue the easier it would be to track down the culprit, but so far, all reports I've read have resulted in the points being returned. If you have a need to use those points soon, you may have problems getting them to advance what is expected to be returned, but worth asking.

I agree with you, Roger, on the point that if we were connected to the security or fraud department things would go a lot smoother. Also, I've read a lot of stories of people losing hundreds of thousands of points at a time, similar to me. Similar to credit card companies, we need to see hotels/airline companies call the customer to confirm abnormal activity on their account, such as spending large amounts of digital assets in a matter of minutes. There seem to be safeguards around payments but there are no safety guards around loyalty program digital assets.

Loyalty programs are membership benefits being adapted and built up more by many companies for their loyal customers, and early adopters of these programs have large amounts of credit that is being targeted by cyber criminals. I hope to see more safeguards around these programs to protect the digital assets of their members.

NOLAnwGOLD Jul 31, 2017 1:02 am

Account Hacked! 58k points transferred
 
So has anyone had their Hilton account broken into? I got an email saying that I had transferred 58k points to another account, which I didn't. I've called to report it and a case was started (though I didn't get the follow-up email yet for the affidavit). Anyone know how long it takes to get your points back? I was looking to use them and now it's all gone (hopefully for now)!

Miesque Jul 31, 2017 11:26 am

There really does seem to be an uptick again of hacked accounts, every time I see a new thread I go and check my account. Makes me think I need to spend some points...

RogerD408 Jul 31, 2017 11:32 am


Originally Posted by NOLAnwGOLD (Post 28628480)
So has anyone had their Hilton account broken into? I got an email saying that I had transferred 58k points to another account, which I didn't. I've called to report it and a case was started (though I didn't get the follow-up email yet for the affidavit). Anyone know how long it takes to get your points back? I was looking to use them and now it's all gone (hopefully for now)!

Although it's quite common for the desire to spend when you don't have, if you have travel plans in the near term, let HH know and they may be willing to restore your points quicker than later, or front you the needed points. It doesn't hurt to ask, but be ready to make solid plans and not just a ploy to get the points now.

gauntlet3h Jul 31, 2017 11:33 am

I had 960K points hacked last week on the 25th and just like you they did the points transfer to an airline. On Friday Hilton restored my points and gave me a new HHonors account number. So it took me 72 hours.

gauntlet3h Jul 31, 2017 11:34 am

Just an update:

I got my 960K points restored to a new HHonors account number. The whole process took 72 hours. Very pleased with the results.

serpens Jul 31, 2017 12:01 pm

I'm glad this bad situation had a good outcome, gauntlet3h.

retiredfromhilton Aug 1, 2017 4:47 am


Originally Posted by Miesque (Post 28630302)
There really does seem to be an uptick again of hacked accounts, every time I see a new thread I go and check my account. Makes me think I need to spend some points...


Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.

Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.

Miesque Aug 1, 2017 7:24 am

I just noticed Delta.com has a new advisory alert on front page this morning -

Advisory! - Protect Your Data

Which leads me to believe there is a similar recurrence over at Delta with redemptions.

retiredfromhilton Aug 1, 2017 9:12 am


Originally Posted by Miesque (Post 28630302)
There really does seem to be an uptick again of hacked accounts, every time I see a new thread I go and check my account. Makes me think I need to spend some points...

Two further updates from reps at Hilton:

1) The points.com route for the recent theft of points appears to be combined with or in addition to an exploit of the new points pooling function. Multiple target Honors accounts are set to share points with [what is probably] a perpetrator's account from which the points are then redeemed.

2) Hilton announced to their reps today that the tie-up with Amazon that will allow Honors points to be used on Amazon is now delayed indefinitely. I think it no coincidence. It appears likely that the recent wave of thefts was a test run and that a much larger exploit would be unleashed once the stolen points could be used on Amazon.

Miesque Aug 1, 2017 9:55 am


Originally Posted by retiredfromhilton (Post 28634172)
Two further updates from reps at Hilton:

1) The points.com route for the recent theft of points appears to be combined with or in addition to an exploit of the new points pooling function. Multiple target Honors accounts are set to share points with [what is probably] a perpetrator's account from which the points are then redeemed.

2) Hilton announced to their reps today that the tie-up with Amazon that will allow Honors points to be used on Amazon is now delayed indefinitely. I think it no coincidence. It appears likely that the recent wave of thefts was a test run and that a much larger exploit would be unleashed once the stolen points could be used on Amazon.

Thanks for the info. I personally think that if they restricted redemption to actual Hilton-related items like stays or even meals at properties, there would be a severe reduction in these point thefts.

RogerD408 Aug 1, 2017 10:00 am


Originally Posted by retiredfromhilton (Post 28633297)
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.

Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.

It's not wise for companies to publish how their systems were hacked. Even if they plug that one hole it leads people to believe they are lax in security and hackers will try other avenues. How they recover from the hacks tells how much they appreciate their customers. Some systems will take many weeks to research the situation and if they have the ability to point the finger at the customer being behind the loss, they will deny restoring the points.

With many sites now using an email address as the account name, it's not far-fetched to think the user will use their email password for access. This causes a cascading failure should they get hacked. Personally, I use separate addresses for each account even if it's not the username so I can see who's feeding my address to spammers.

birdiedouble Aug 1, 2017 1:20 pm


Originally Posted by retiredfromhilton (Post 28633297)
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.

Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.

It would be pretty easy to come across one of these and find or figure out one of the other two. Seems pretty lax to me considering the value of points floating out there. On the website there is an option to pull up a res with the res# and last name. It's not working now and prompts you to log in to view/change.


All times are GMT -6.